by Shailesh Tadha - 1 year ago (2016-06-13)
I want to remove all harmful text from user input.
3. by martin barker - 1 year ago (2016-08-01)
1. by Manuel Lemos - 1 year ago (2016-06-21)
I think this is better done on the server side for instance with PHP. If you do it on the browser side, an attacker can still send harmful text to the server.
If you are looking for filtering inputs with HTML, this PHP package can parse and filter out insecure HTML tags.
If you just want to filter plain text input, it depends on what you consider insecure, but some solution based on regular expressions may be sufficient.
2. by Christian Vigh - 1 year ago (2016-06-21) in reply to comment 1 by Manuel Lemos
I agree with Manuel. Validation on the client side should only be made to quickly alert the user when his input is invalid, without querying a server.
However, validating input on the client side doesn't guarantee at all that the data that will be arriving on the server will be safe.
This is why you definitely have to check it when it arrives at your PHP script.
I'm aware that there is some double validation in this process; one on the client side, which will be aimed at quickly alerting the user of possible typos; and one on the server side, which should be more thorough, and which will be aimed at cleaning possible crappy data sent by potential hackers.
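As an added example (not code from either commenter), here is the server-side part both answers point to, in PHP: plain text is checked against an explicit whitelist pattern, HTML input is reduced to a small allowed tag set with attributes removed, and anything echoed back is escaped. The function names, the allowed character pattern and the tag list are assumptions.

```php
<?php
// Server-side input handling in PHP (added example, not the commenters' code).
// Function names, the allowed character pattern and the tag list are assumptions.

// Plain text: accept only an explicit whitelist of characters instead of
// trying to enumerate "harmful" strings. Returns null when the input is rejected.
function validatePlainText(string $input, int $maxLength = 100): ?string
{
    $input = trim($input);
    if ($input === '' || mb_strlen($input) > $maxLength) {
        return null;
    }
    // Letters in any script, digits, spaces and a few punctuation marks.
    if (!preg_match('/^[\p{L}\p{N} .,\'-]+$/u', $input)) {
        return null;
    }
    return $input;
}

// HTML input: keep only a small allowed tag set, then strip all attributes
// from the surviving tags so event handlers (onclick=, style=) cannot remain.
// Note: strip_tags() removes tags but keeps their text content.
function filterHtml(string $html): string
{
    $allowed = '<p><b><i><em><strong><br>';
    $html = strip_tags($html, $allowed);
    return preg_replace('/<(\/?)(p|b|i|em|strong|br)\b[^>]*>/i', '<$1$2>', $html);
}

// Output: escape whatever is echoed back into a page, regardless of which
// validation it passed on the way in.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST values.
$name = validatePlainText('Ada <script>alert(1)</script>'); // null: '<' is not whitelisted
$bio  = filterHtml('<p onclick="x()">Hi <script>evil()</script></p>'); // "<p>Hi evil()</p>"

echo escapeForHtml($name ?? 'invalid name'), "\n";
echo $bio, "\n";
```

The whitelist approach is what makes the server-side check "more thorough": the plain-text validator never has to know which strings are dangerous, only which characters are acceptable.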